File system

ABSTRACT

A digitally signed file system in which data, metadata and files are objects, each object having a globally unique and content-derived fingerprint and wherein object references are mapped by the fingerprints; the file system has a root object comprising a mapping of all object fingerprints in the file system, such that a change to the file system results in a change in the root object, and tracking changes in the root object provides a history of file system activity.

BACKGROUND OF THE INVENTION

The invention generally relates to computer storage, and more specifically to a file system.

A fully featured storage solution may include raw disks, a file system, snapshots, file versioning, compression, encryption, built-in capacity optimization (e.g., data deduplication), other security features such as auditing and tamper resistance, efficient replication to an off-site location for disaster recovery purposes, and so forth. Many of these features are delivered in separate appliances that then have to be connected by highly experienced technicians.

Constructing such a storage solution with today's technology, for many terabytes (TBs) of data, often results in a multi-box solution that can easily exceed costs of $100,000, making such a fully featured storage solution not available to many businesses and customers.

This multi-box, ad-hoc solution is not a fundamental aspect of storage, but rather that file system architectures and implementations have not kept up with other technology developments. For example, most file system architectures have not evolved to fully leverage the faster computer processing units (CPUs), flash memory, and the different balance between network bandwidth, disk density and disk access rates.

If one defines data accessibility as the ratio of access bandwidth to addressable storage, the accessibility of data is decreasing. Storage densities are increasing faster than the access to the disks, so for a given data set size, the time needed to access the data is increasing (and thus causing reduced accessibility). The effect on storage architectures is as follows: once one stores the data, one should not move it unless absolutely necessary. This simple observation is violated many times in current storage architectures where data is constantly being read in and written out again. The result is significant extra expense (e.g., 10 channels, CPU, power, time, management).

SUMMARY OF THE INVENTION

A novel way of building a file system that integrates a combination of features at a fraction of today's cost is described.

The described file system can be realized in a pure software form, running on a computer as any other file system. Furthermore, the organization of the integrated file system lends itself to unique hardware acceleration techniques that are not possible with legacy file systems. The hardware acceleration enables more performance for a given cost, or a lower total cost of ownership for a given performance level.

The invention is a file system with an integrated feature set. The file system is implemented as a stack including two distinct file systems, an object file system and a namespace file system. The stack is fully POSIX® compliant, and can be used wherever a POSIX® compliant file system is called for, such as second extended file system (EXT2), third extended file system (EXT3), ReiserFs, and so forth.

The lower portion of the stack is an object file system. The object based file system is used to host the data in the form of objects. Objects are opaque, binary blobs of data. Object size can vary, but is typically bounded to a range of a few kilobytes (KBs), but not required for correct operation of the invention. The name of the object is derived from the object's content using a strong cryptographic hash. This enables the object name to be globally unique and identifiable, i.e. a fingerprint of the content. The object file system is primarily machine-oriented.

Two fingerprints that are equal will for all practical purposes represent the same content, regardless of where the fingerprints were calculated. Conversely, two fingerprints that are different represent different content. As fingerprints are significantly smaller than objects (a factor of 100×, 1000× or more), manipulating fingerprints is often faster and easier than manipulating the underlying content.

The object file system described here is lightweight and flat, distinct from heavyweight object file systems such as described in the ANSI T-10 spec, or content addressable file systems such as the commercially available EMC Centera®, or Hitachi's product (acquisition via Archivas). Objects, as used here, should not be confused with objects as used in programming languages such as C++ and Java.

Object file systems have an “index” that tracks all of the objects. The construction and management of such an index is a major challenge for object file systems, where there can be many millions, or even billions of entries in the index.

At the top of the stack is a namespace file system. This is similar to other POSIX® file systems in that it has concepts such as files, directories, and so forth. A difference however is that instead of using logical block number addressing (LBN) to access content, object fingerprints are used. Furthermore, all internal data structures of the namespace file system are themselves objects. Thus, the entire storage stack (namespace and object layer) is “knitted” together by object references, and having the fingerprint of the object representing the root enables one to completely and unambiguously define the entire file structure.

In a sense, this is a digitally signed file system. Any change (adds, deletes, metadata change, reads) results in the file system's signature to be changed. By tracking the root signature, one in practice gets a complete history of all file system activity.

At the heart of the invention, this division of labor into two separate file systems, and how they interact, is done in such a way that deduplication, snaps, writeable snaps, continuous data protection (CDP), wide area network efficiency, versioning, file system integrity checking and immutability falls out naturally, while still preserving POSIX® semantics.

The organization of the file system enables the application of hardware assist. The hardware assist is in two forms. One form is for compute acceleration, such as compression, encryption and cryptographic digests. The second form is for the construction and maintenance for a large index that is in turn used to build a practical object store.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be more fully understood by reference to the detailed description, in conjunction with the following figures, wherein:

FIG. 1 illustrates how the invention is integrated into an existing operating system kernel or user space. The user space version uses FUSE, File system in USEr space, a public domain infrastructure that enables a practitioner to write a user mode file systems.

FIG. 2 denotes the major components of an object store, and how that object store can be hosted on a variety of physical media.

FIG. 3 shows how an object store can abstract out key functionality so that said functionality may be implemented in a variety of ways without impacting the object store design. Implementations may range from a pure software solution, to one using hardware acceleration.

FIG. 4 illustrates how a set of objects may be grouped together into a construct (“hnode”) that is a basic building block of the integrated file system.

FIG. 5 shows how an hnode can be specialized into other data structures needed by the file system, such as files, directories and imaps.

FIG. 6 shows how changes to the file system are tracked and maintained over time, and how the techniques use naturally result in space efficiency, immutability and security.

FIG. 7 shows how an object can transparently handle compression, encryption and location independence while providing a globally unique name for the object.

FIG. 8 shows how the invention may be implemented in user space with FUSE. FUSE is an open source set of libraries and kernel modules that enable the construction of file systems in user space (file systems are normally done in kernel space).

DETAILED DESCRIPTION Legacy File Systems

A traditional file system has several basic data structures. In addition to user visible directories and files, internal structures include super blocks, inodes, allocation maps, and transaction logs.

Allocation maps are data structures that denote which blocks on a disk are in use or not. These data structures can be as simple as a bitmap, or as complicated as a btree. Allocation maps can be large, and almost never fit in memory. Naive allocation of new blocks results in low disk performance, but optimal placement requires sophisticated allocation algorithms given the aforementioned memory limitations.

Directories are list of names of files and other directories, and in many file systems, are treated as another file type that is just interpreted differently. Internally a directory is a list of filename/inode# pairs. When the file system wants access to a filename, it must find the filename in a directory, and the corresponding inode number.

Files are named collections of data. A file name, along with the inode it references, is stored in a directory structure. Many file systems support the concept of links, where different file names can point to the same data (inode).

Transaction logs are used to keep the file system consistent in accordance with Atomic, Consistent, Independent and Durable (ACID) properties. Many file systems will guarantee metadata consistency, but have different service level agreements (SLAs) for data.

A superblock is a small data structure that resides at a known location on a disk or persistent medium. From the superblock, all other data structures relevant to the file system can be found, such as the size and location of the inode table, allocation maps, the root directory, and so forth. When a file system is mounted, it is the superblock that is first accessed. For safety reasons, superblocks are often replicated at various points on a disk.

Perhaps the most fundamental data structure is the inode (“index node”). Common to many file systems, it is a data structure that is the basic container for content, such as a file. The inode itself does not contain a filename; that is stored in the directory. An inode is identified by an integer that denotes an index into a disk resident data structure (the inode table). Each inode entry in the table describes where on the disk the content can be found for this file. This “map” can take various forms, including linear lists, indirection tables, various tree types, each of which have various speed/space tradeoffs. Important is that the map uses physical or logical addressing, such as a logical block number (LBN). An LBN only makes sense if you know which disk it is intended for.

From the above description, it should be clear that legacy file systems have tight control of the what (content) and the where (placement of data). This co-mingling of what and where, largely an artifact of history, results in an architecture that is difficult to extend to modem storage needs.

Integrated File System

Object Store

The object store is a flat collection of opaque data (objects). Each object is unique, and has reference counts (the number of times it is referenced by the namespace file system). An object's name is a cryptographic hash of the object's content, i.e., change the content and the name must change.

Any sufficiently strong cryptographic hash is acceptable for generating object digests. By way of example, we use Secure Hash Algorithm-1 (SHA-1) as a proxy for all such digests. The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA-1 is the best established of the existing SHA hash functions, and is employed in several widely used security applications and protocols.

In practice, object sizes are typically powers of 2, and range from 512 bytes (29) up to 1 MB (220) or more, although there is no architectural restriction on the size of an object.

A typical object size is 2 KB (211 bytes). For an 8 TB (243 bytes) file system, that is 2³² objects roughly 2 billion objects. Each object's entry in the index is about 32 (2̂5) bytes, so the object index, assuming it is densely packed, is 2³⁷, or 128 GB, or about 2% of the total file system space. Other object sizes can be used with no loss in applicability or generality.

Objects are compressed and encrypted transparently to the user of the object. Object names are based on clean, uncompressed data+salt. What is actually stored in the object is one of (clean), (clean compressed), (clean, compressed encrypted) or (clean encrypted) data.

Objects are typically read/written with clear data only, and the compression/encryption happens internal to the object store.

Using strong cryptographic digests enables objects to have globally unique and consistent names. Two objects with the same name will, for all practical purposes, have the same content.

NameSpace

The namespace file system is similar in appearance to legacy file systems. It has files, a directory structure, links, a superblock, and so forth. Names are normal, human-readable names.

The namespace file system doesn't contain data directly, instead all data is stored in objects. Objects are relatively small, and frequently larger data structures are needed. The structure that aggregates objects is called an hnode, similar to inodes in other file systems.

As a practical manner, a file system that plugs into a Unix or Linux environment needs to expose inode numbers. Inodes are numbers that uniquely identify a file.

hnode

The hnode is functionally similar to an inode in other file systems. It is a data structure that ties together content, such as a file. Sometimes content can be very large (many GB), and does not fit contiguously on a disk or persistent medium. The content is broken up, and stored as discrete units. In the case of traditional file systems, this would be blocks on disk. In the invention; these are objects. The hnode keeps a list of all the objects in a mapping structure. Linear lists are one example of such a mapping structure, but more complicated indirection tables are also possible.

There are two main differences between an hnode and inode. First is that an hnode uses object fingerprints to identify content, whereas an inode uses physical or logical block addressing. Second, is that an hnode has a well defined, globally unique, name (the hash of it's content+salt).

Imap

Unique to the invention is an imap, which converts an inode number into an object fingerprint, or name. This fingerprint typically an hnode, which is in turn interpreted in various ways depending on context. This enables the rest of the namespace file system to deal with inode numbers, which is essential, as many user level utilities need to see such a construct. In some sense, this provides an additional layer of indirection (or virtualization) over a traditional static inode table.

By using this indirection table, an inode number can stay constant, but the associated object name (fingerprint) can change as the file corresponding to the inode changes. Since the imap itself is an object, that name too will change as file system is modified.

In a traditional file system, the root directory is at a known inode #, and in the case of the imap, that is also the case.

If you have a fingerprint of the imap, you essentially have a complete “snap” of the file system. Bumping the reference count of every visible object underneath this fingerprint locks the snap, and prevents it from being deleted regardless of other file system activity.

Once you have a snap fingerprint, you can continue working on the file system (writeable snaps), remember it for future use (perhaps for disaster recovery purposes). You can also publish the snap fingerprint to another system, sitting on a distinct object store. If an object store can't resolve a read request of a particular fingerprint, to the extent that it is aware of other object stores, it may forward the request to those stores. Thus, the snap's fingerprint may move to a system whose object store may not fully host all of the snap's data (objects), but via the mechanism just described is still fully consistent and usable.

Super Block

The superblock is a data structure that is used when an object store lives on persistent media. It lives in a known location(s). It describes where the allocation maps, imap, object pool, index and other structures live on the medium. An object store always has globally unique identifier (GUID), which represents that unique instance of an object store.

In the case where the object store participates in a large object pool, the superblock also contains the GUID of the larger pool, and the GUIDs of all the members, and the relationship of the members (stripped, replicated, erasure coded etc).

File

A file construct 504 is derived from an hnode 401. It has all of the normal POSIX® semantics regarding files, such as read, write, open, close, and so forth.

Directory

A directory is a specialized version of an hnode. It contains a map of (inode number, name) pairs. A linear list, vector or other more complicated structures are example implementations. The map at a minimum must be serializable a deserializable in order to persist it to an hnode. Depending on the mapping structure, random access is also possible.

Tracking

As a file system is modified due to normal writes, deletes and reads (observe that a read changes access times), the objects and hnodes constituting that file system also change. This results in a history of root hashes, which at a very fine granularity is called continuous data protection (CDP), and at a coarser granularity, snaps. The difference is only in how often the root hashes are captured.

Every object in the system must be accessible through at least one root hash.

As an hnode H is written, a new hnode H′ is created, and if more changes occur, possibly H″. These changes may accumulate, but at some point the last change propagates back up to the root. This pending input/output (10) enables the file system to accumulate changes and not propagate up to the root on every change. How often this happens is policy based. Reference counts for objects in the middle of the change list H->H′->H″ must be dealt with accordingly so that there are not dangling references, or unreachable objects.

Referring now to FIG. 1, shown are various storage components in an operating system kernel. Although drawn from a Linux environment, the diagram is generic enough that it applies to other operating systems such as Windows®, Solaris® and other Unix class operating systems.

An example of a POSIX® 104 style file system, where POSIX® can be anyone of any number of file systems such as ResierFs, Exts, btrfs and zfs with no loss in generality. A virtual file system layer 103 is used to abstract out many common features of file systems, and provides a consistent interface 160 to user space and other components. The VFS 103 also has a well defined “lower edge” interface 150 that any file system must use (if it expects to be recognized by the VFS 103 layer). In practice, there are typically many file systems working in parallel.

File systems normally sit on top of a block storage abstraction, implemented by block drivers 105. The block storage may be local on a LUN 109, or it may be on a remote LUN using an iSCSI protocol. Block Drivers 105 also have well defined interfaces in an operating system.

The invention works alongside the other file systems in the kernel. It is composed of a namespace file system 107 that is stacked on top of a lightweight object file system 108. The interface 152 between the two components in a preferred implementation is private, although industry standard object interfaces such as the ANSI T-10 object standard can be used.

The Object file system 108 in turn is partitioned such that a library of commonly used functions, the Digest, Indexing, Compression, Encryption (DICE) library 310 is abstracted out. The library 310 may be realized completely in software, or take advantage of a variety of hardware acceleration 113 techniques, one of which is illustrated.

The object file system 108 creates an object container 206 that may sit on top of a raw LUN, a partition on a disk, or a large file. It may also reference containers via a network stack using protocols such as iSCSI or other remote access block protocols (FCoE being another example).

Referring to FIG. 2, Object Store 108 is further decomposed. Object store 108 contains binary, opaque objects, examples of which are P 201, Q 202 and R 203. Objects may be of varying size, although in a preferred implementation they are powers of 2. An object resides at some offset in the container, which may be a byte offset, or an offset modulo the smallest object size (i.e., if the smallest object is 512 bytes, then the offset would be multiplied by 512 to get the byte offset).

Each object has a name, which is a cryptographic digest (hash) of the object's entire content, plus some site specific salt. In FIG. 2, the names are denoted by H(P), H(q) and H(r).

An index structure 204 keeps track of object names, object locations, and object references. An object's reference is incremented every time the object is written. The namespace file system 107 may generate what it thinks are many copies of the same object; the object store only stores one, but keeps track of how many the namespace actually thinks it has.

The object store has several interface classes. The read, write, delete interface 152 a does exactly that for objects. An object deletion in this context is really a decrement of the object's reference count. Storage for the object inside the object store will be released only when the reference count goes to 0.

The indexing operations 152 b enable enumeration of objects by name, reference count adjustments, looking up of objects by name.

The object store has transactional semantics (ACID properties), and transaction boundaries are managed through the transactional operations 152 c. This includes start, commit and abort of a transaction, in addition to listing of pending transactions.

A provisioning interface 152 d enables object stores to be created, deleted, merged, split and aggregated.

The index 204 is a map, who's primary key is the object name. As discussed elsewhere, the index can be very large. There is an index entry for every object in the system. Each entry contains:

A fingerprint of the object's content. Fingerprints are generated by a cryptographic digest over the content, with a small amount of additional content (“salt”) appended. The salt is common to all objects in the object store.

A reference count indicating how many times the object is referenced. The reference count may use saturating arithmetic to save space. For example, it may only use 8 bits to track references: the reference count can be added and decremented, but if it equals or exceeds 255, the count “saturates”, and no further decrements are allowed.

A physical locator. If the object is on a physical disk, this may be a LBN. If the object is hosted by a hosting provider (e.g., Amazon S3), then it would be a reference to the cloud object.

Flags for various uses. One flag indicates if the object is stored compressed or not, another if encrypted or not. Other flags are available, but are not allocated to a specific use.

The allocation map 220 is normal bitmap used for allocated blocks on the object container 206.

The object container 206 is a randomly addressable persistent storage abstraction. Examples include a raw LUN, a file, a partition on a disk, or an iSCSI device across the WAN.

The object container 206 has several components (not shown to scale). Aside from the container descriptor block 207, which lives at a known offset, the order of the other components is not material.

The index 208 may have container resident portions, or portions in memory 204, or both, such as a Btree. The allocation map 210 also may be partially on disk and in memory 220. Migration between the two can be accomplished with paging techniques.

As the object store is modified, a transaction log 211 is kept on persistent storage. The log tracks all object activity, including reads, writes, deletes, reference adjustments, and so forth. The log is kept in time order, and is periodically rolled into main index. Object activity must “hit” on the log first before searching the main index. Each log entry consists of an operation type 152 a, 152 b, 152 c, 152 d, the fingerprint, reference value, transaction ill or epoch number, and pool location. A log entry is structurally similar to an index entry, with the addition of the transaction id.

Global object naming enables an object store to move objects around while still preserving consistent naming and access. Reasons for moving an object include:

Moving related objects close to each other on a physical disk, for performance reasons.

Replicating objects across fault boundaries. This can be across two separate disks, a disk and a remote disk, or any multiple thereof. Replication can also confer read performance benefits. Replication can also include splitting objects, such as with erasure codes.

Background operations on objects such as compression, decompression, encryption, decryption, and so forth.

Moving objects based on temperature, i.e. their frequency or expected frequency, of use.

In FIG. 3, element 300 illustrates the relationship of the object store 108 with the DICE library 310. The library 310 abstracts out common features of the object store, such as digests 153 a, indexing 153 b, compression 153 c and encryption 153 d.

While providing a consistent interface, internally the library may use a variety of techniques to deliver the services. Implementation techniques include software only, partial hardware assist (Intel QuickAssist®, for example), or a custom hardware implementation that can store large amounts of index, or any combination of the above.

If using a proprietary hardware accelerator 113, that accelerator has two broad classes of service: one for compute intensive operations III (compression, encryption, fingerprinting), and another for memory intensive operations 112 such as an index. A hardware implementation may have one or the other, or both.

FIG. 4 illustrates key components of an hnode structure. Compared to a legacy file system, the hnode has a similar role as the inode. It uses object identifiers (fingerprints) to identify content rather than physical/logical block addressing that legacy inodes use.

An hnode and related structures can be thought of as an unnamed file. It is a sequence of content, like a file, that can be randomly read, written, appended to, created, deleted and truncated. Content can be access on arbitrary byte boundaries, and with arbitrary ranges. How the content is interpreted depends on context.

An hnode 401 has a stat structure that is a POSIX® structure used for file metadata. Part of that structure includes the byte length of the file, or hnode in this case. The data sequence is broken into discrete objects, for example, S 410, T 411 and U 412 in FIG. 4. The names of each object are stored in a mapping table 402, which records the fingerprints of each of S, T and U. Objects do not necessarily have to be the same length.

The mapping table 402 may have various representations, including a linear list, a tree structure, or an indirection structure, with no loss in generality. A mapping table 402 is indexed by an offset into the content (the sequence S, T, and U) to determine which object(s) are to be referenced, in a manner similar to the way standard Unix inode indirection tables work.

An hnode itself is an object, and thus has a unique name. As any of the stat structure, the mapping table 402, any of the referenced objects change, then the hnode's name (fingerprint) will also change.

An hnode may be randomly accessed for both read, write and append. Hnodes support sparse space, where data that has not been written returns a known value (typically 0).

Any change to an hnode results in a new hnode, as the hnode's name is a function of its content. The original hnode may be dereferenced, or kept (by increasing the reference count), depending of file system policy.

An hnode 401 may have addition structures, such as a standard Unix “stat” structure 420.

As shown in FIG. 5, an hnode 401 is a randomly addressable sequence of content, similar to a file. How that content is interpreted depends on context. In the present invention, an hnode is further specialized into files, directories and imaps. In the parlance of object oriented programming, the classes file, directory and imap are derived from the base class hnode.

A file 504 is a thin wrapper that makes an hnode appear as normal POSIX® file that can be opened, closed, read, written, and so forth.

A directory 505 is another interpretation of an hnode 401. A directory 505 is a mapping 501 of names to inode numbers. The mapping can take various forms, including but not limited to, a linear list, B-trees, and hash maps. If the map 501 is entirely in memory, it is a requirement that the map can be serialized and deserialized.

An imap (“inode map”) 502 translates inode numbers into an object fingerprint. The object may represent an hnode (and therefore by extension, a file, directory or other imap), a structure such as a superblock, or other data.

An imap may have reserved locations, such as index 0, index 1, and so forth, for well know objects. Examples include previous imap(s), file system superblocks, and so forth.

As shown in FIG. 6, how file content and metadata change from an initial time T0 610 to time T1 611 as content is added is illustrated. Deletion of content follows a similar path.

The diagram 600 shows both object store 108 components, and namespace 107 components, separated by the interface 152.

At time T0 610, root directory root0 640 has two files FOO 641 and BAR 642. The file FOO 641 in turn is comprised of content broken up into objects P 652 and Q 655. Object names for P 652 and Q 655 are stored in FOO's 641 mapping table, illustrated previously (drawing 400). Similarly, file BAR 642 has content Q 655. The root directory 640 is also an object, denoted by ROOT 653. Similarly, the files (hnodes) FOO 641 and BAR 642 are represented in objects 651 and 654 respectively. The initial imap0 502 a is also represented in an object imap0 650, as is the root directory root0 640 has an object root0 653.

As the object Q 655 is common to both files FOO 641 and BAR 642, it has reference count of 2, where as object P 652 only has a reference count of 1 at time T0 610.

The root directory 640 contains two entries, one for each of FOO and BAR. FOO's entry has a inode index of 4, and BAR's inode entry is 9.

The imap0 502 a is an hnode, and is stored as such as an object 650. To avoid complicating the drawing, although the imap is an hnode, and an hnode may map onto many objects, it is shown here as one object.

By convention, the digest of the root directory is always stored at imap index 2. The digest of an imap enables full access to a file system. By reading the object associated with the imap, the root directory is obtained, and from there any subsequent directory and/or files. Furthermore, the digest of an imap precisely and unambiguously defines the content of the entire downstream file system.

Immutability: If for example, object Q changes, then the name changes (an object's name is a function of it's content). Any mapping tables that point to the modified Q now don't, and therefore the modified Q is not “visible”. Similar arguments apply to any object that is reference able by the digest of an imap.

At time T1 611, file BAR 642 has content S 658 appended to it, so that a new file BAR 644 is created. A new file BAR must be created so that digests and object names are consistent. As new content S 658 is added, everything that references it is also updated and a new version created. This applies to a newer version of BAR 644, the root directory 643, and most importantly, a new imap table 502 b. Object reference counts 614 at time T0 610 are adjusted as content is added/removed, so that at time T1 611 object reference counts 615 represent content that is unique to T0, unique to T1 and content that is in common.

At time T1 611, there are essentially two file systems that have a lot of common content. The two file systems are fully specified by the digests of their respective imaps, imap0 502 a and imap1 502 b. For example, at time T0 610 object Q 655 can be referenced through paths (640 a, 641 b), (640 b, 642 a), (643 a, 641 b) and (643 b, 644 a).

As a file's content is modified (added, deleted, modified), the file's mapping table is also changed. In turn the object containing the file mapping, the hnode, also changes. For various reasons (performance, management interfaces), it may not be appropriate to propagate every change all the way up the tree to the root directory and into the imap. However, if done on every 10 transaction, the system implicitly implements a CDP, where every digest of the imap represents a particular 10 transaction. If done periodically (e.g., every hour or so), on demand, or on particular events (file close), then the behavior is similar to file system snapshots.

As objects have reference counts, to the extent there are identical objects, deduplication is native to the system. As a file system changes as a result of modifications, for the most part, only the changes will result in new content being added to the storage pool.

In FIG. 7, drawing 700 illustrates an object. An object 701 is a sequence of opaque, binary data. Object sizes are arbitrary, although in a preferred implementation they may be a power of 2 in size to make allocation and persistent storage management easier.

To the user of the object, the content is always read, written and accessed in the clear. The object store internally stores the object in a form that may include optional compression and/or encryption. Thus, what may appear to the user as a 2048 byte object is stored internally as 512 bytes of data (assuming a 4:1 compression ratio), that is further encrypted. An object store is an encryption domain, meaning that all objects are treated similarly with respect to encryption. This is distinct from any encryption that the callers of the object may use.

In FIG. 8, drawing 800 shows how the integrated file system may be developed in user space. Using the open source FUSE framework, the namespace file system 107 is linked against the user mode FUSE library 802. The namespace file system has the same private interface 152 to the object store 108. Object store 108 also has the same interface 153 to the DICE library 310. The DICE library may optionally use hardware assist 113.

Hardware Assist

The file system has two areas that benefit from hardware acceleration.

The first is a compute component. Significant CPU resources are spent on cryptographic hashing, compression, and encryption. Faster CPU clocks and more CPU cores alleviate this up to a point, but as performance requirements increase, offloading some or all of these functions to dedicated hardware is desirable. There are several commercial chipsets (e.g., Hifn, Cavium) that can accomplish this.

The object store index can be large, and can quickly exceed practical memory limits. A global object index (i.e., an index for all the storage) is read and written randomly (the primary key for such an index is a cryptographic hash, which have a random distribution), making paging and caching algorithms ineffective. Placing such an index on faster non-volatile storage, such as a Solid State Disk (SSD) has some performance benefits.

SSDs are constructed such that read rates are significantly higher than write rates (i.e., Seagate xxx can deliver 35,000 iops/read and 3000 iops/write). If index access is evenly divided between reads and writes, then many of the benefits of an SSD are not realized.

A custom built indexing solution, made of FLASH and an FPGA can increase the indexing bandwidth even further.

Hardware assist is managed by the DICE 310 library.

Embodiments of the invention can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Embodiments of the invention can be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.

Method steps of embodiments of the invention can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Method steps can also be performed by, and apparatus of the invention can be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and anyone or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in special purpose logic circuitry.

It is to be understood that the foregoing description is intended to illustrate and not to limit the scope of the invention. 

1. A file system comprising: a digitally signed file system in which data, metadata and files are objects, each object having a globally unique and content-derived fingerprint and wherein object references are mapped by the fingerprints; the file system having a root object comprising a mapping of all object fingerprints in the file system; wherein a change to the file system results in a change in the root object, and tracking changes in the root object provides a history of file system activity.
 2. The file system of claim 1, wherein: the file system includes an inode map object comprising a mapping of inode numbers to file object fingerprints and wherein the fingerprint of the inode map object comprises a snapshot of the file system.
 3. A computer-readable medium containing executable program instructions for a method of indexing stored objects, the method comprising: providing data, metadata and files as objects; providing a fingerprint for each object which is globally unique and derived from the content of the object; and wherein a file system root object is provided comprising a mapping of all object fingerprints in the file system, such that a change to the file system results in a change in the root object, and tracking changes in the root object provides a history of file system activity.
 4. The medium of claim 3, including: providing a file system inode map object comprising a mapping of inode numbers to file object fingerprints, wherein the fingerprint of the inode map object comprises a snapshot of the file system.
 5. The medium of claim 4, including: publishing the inode map fingerprint to another computer system on a distinct object store.
 6. The medium of claim 4, including: using the inode map fingerprint as a snapshot of the file system for disaster recovery.
 7. The medium of claim 4, wherein: the inode map object contains a fingerprint of a previous inode map.
 8. The medium of claim 7, wherein: the previous inode map fingerprints comprise a history of snapshots of the file system.
 9. The medium of claim 4, wherein: the objects have reference counts; and upon a change to the file system, adjusting the object reference counts of every object beneath the inode map object.
 10. The medium of claim 9, wherein: the adjusting is performed on every IO transaction to provide continuous data protection.
 11. The medium of claim 9, wherein: the adjusting is performed periodically, on demand, or on particular events to generate snapshots.
 12. The medium of claim 4, wherein: the objects have reference counts; and adjustments to the reference counts are utilized for data deduplication such that only new data content is stored.
 13. A computer file system for naming and storing of files on one or more computer storage devices, the system comprising: a namespace file system wherein files, data and metadata are objects, each object having a globally unique fingerprint derived from the content of the object, each file object comprising a mapping of object fingerprints for the data objects and/or metadata objects of the file and the file object having its own object fingerprint derived from the fingerprints of the objects in the file, and wherein the system includes a mapping of inode numbers to the file object fingerprints.
 14. The file system of claim 13, wherein: object references are defined by the object fingerprints.
 15. The file system of claim 13, wherein: the file object mapping comprises a linear list, a tree structure or an indirection table.
 16. The file system of claim 13, wherein: the file objects include a root object having its own object fingerprint derived from all of the objects in the file system such that every object in the file system is accessible through the root object.
 17. The file system of claim 13, wherein: the namespace file system is provided as a layer in a storage stack between a virtual file system layer and a block storage abstraction layer.
 18. The file system of claim 13, further comprising: an object store containing an index of object fingerprints, object locations and object reference counts.
 19. The file system of claim 18, wherein: the object store index is stored in non-volatile memory.
 20. The file system of claim 13, wherein: the fingerprint is an cryptographic hash digest of the object content.
 21. The file system of claim 13, wherein: the object size is variable.
 22. The file system of claim 13, wherein: the file system is a POSIX compliant file system.
 23. A method comprising: generating object fingerprints for data objects in a file system, the data objects comprising data or metadata, and the object fingerprints comprising a globally unique fingerprint derived from the data object content; generating object fingerprints for file objects, wherein each file object comprises the fingerprints of a plurality of the data objects in the file and the file object fingerprint comprises a globally unique fingerprint derived from the file object content; and generating a root object comprising a mapping of all the object fingerprints in the file system.
 24. The method of claim 23, including: maintaining a reference count for each object, and updating the object's reference count when references to the object are added or deleted.
 25. The method of claim 24, including: generating a transaction log of object activity, including reads, writes, deletes and reference count updates.
 26. The method of claim 23, including: adding, modifying or deleting a data object in a file and generating a new file object fingerprint.
 27. The method of claim 23, including: when the content of a file object or data object is changed, propagating the change up to the root object.
 28. The method of claim 27, including: performing the propagating step at one of: every I/O transaction; periodically; on demand; at a particular event.
 29. A method comprising: providing a plurality of data objects, each data object comprising data or metadata, and each data object having a fingerprint which is globally unique and derived from its content; and generating a file object comprising a plurality of data object fingerprints for a plurality of associated data objects, and generating a file object fingerprint which is globally unique and derived from the content of the file object; and maintaining an index of inode numbers to file object fingerprints.
 30. The method of claim 29, comprising: maintaining a location index for mapping object fingerprints and physical locations of the objects.
 31. The method of claim 30, wherein: the location index includes reference counts for the objects.
 32. The method of claim 31, wherein: the fingerprints and indices comprise a file system.
 33. A computer program product comprising program code means which, when executed by a process, performs the steps of method claim
 29. 34. A computer-readable medium containing executable program instructions for a method of indexing stored objects, the method comprising: generating fingerprints which are globally unique and derived from the content of data and metadata objects; generating file objects comprising a plurality of fingerprints of data and/or metadata objects and generating fingerprints of the file objects which are globally unique and derived for the content of the file object; and generating a root object comprising a mapping of all the fingerprints of the data, metadata and file objects.
 35. A system comprising: physical processor and storage devices providing access to data, metadata and files; and wherein the data, metadata and files are objects, each object having a globally unique and content-derived fingerprint and wherein object references are indexed by the fingerprints; and the indexing includes mapping of inode numbers to the file object fingerprints.
 36. A file system comprising: a processing and storage apparatus for naming and storing data objects and collections of data objects comprising file objects, each data object comprising data or metadata and each object having a content-based globally unique fingerprint as its object name, the file object being a collection of data object names and having its own content-based globally unique fingerprint as its file object name; a file system having two layers including: an object store layer including a mapping index of object names and physical object locations; and a namespace layer including a mapping index of data object names for each file object.
 37. The system of claim 36, wherein: the namespace layer includes a mapping index of inode numbers to the file object names.
 38. The system of claim 36, wherein: the object store layer includes reference counts for each object.
 39. The system of claim 36, wherein: the object name is a cryptographic hash digest of the object content.
 40. The system of claim 36, wherein: the system includes hardware acceleration apparatus to perform for one or more of object naming, compression and encryption.
 41. The system of claim 36, wherein: the object store layer includes a global index of all objects in the file system, wherein the primary key for the global object index is the object name, and the object name is a cryptographic hash digest of the object content. 